A Content Security Policy (CSP), delivered in the Content-Security-Policy response header, is an allow-list mechanism through which a web application tells browsers which sources one of its pages may load scripts, styles, images, frames and other resources from, and thereby restricts the requests originating from that page.
The policy is a semicolon-delimited string in which each entry has the form <directive> <value>, where the value is a space-separated list of sources such as 'none', 'self', or explicit hard-coded origins. For example:
Additionally, the frame-ancestors directive restricts which pages may embed a given page in a frame, which prevents clickjacking.
What is the potential impact?
CSP injection occurs when an application takes data from an incoming request and reflects it into the Content-Security-Policy header of the response without validation.
This means that a third party can add new directives (by injecting a semicolon) or extend the value of the directive its input lands in, and thereby enable uncontrolled execution of scripts or other dangerous elements within the page. Note that browsers honour only the first occurrence of a directive, so an attacker usually cannot override a directive that is already present, but adding one that is absent (for example script-src when only default-src is set) bypasses the default-src fallback.
Once such a weakened policy is served, it paves the way for attacks on weaknesses that the original policy had mitigated and that could otherwise have been deemed harmless, such as XSS or clickjacking.
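The following Python script is an added example, not code from the original page, that ties together the policy format described at the top of the page and the injection scenario just described: it parses a CSP string the way a browser does (first occurrence of a directive wins), resolves the default-src fallback, and contrasts a handler that reflects a request-supplied report-uri into the header with a hardened version. The handler names, the report endpoint and the attacker payload are constructed for illustration.

```python
"""Added example (not from the original page): CSP parsing, browser-style
resolution, and reflection of untrusted input into the CSP header.
Handler names, endpoint paths and the attacker payload are constructed."""
import re
from typing import Dict, List

# Fetch directives that fall back to default-src when absent (subset of CSP3).
_FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "frame-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Browsers ignore a repeated directive: the first occurrence wins, so an
    attacker appending "script-src *" to a policy that already contains
    script-src gains nothing, while appending a directive that was absent does.
    """
    policy: Dict[str, List[str]] = {}
    for entry in header.split(";"):
        tokens = entry.split()
        if not tokens:
            continue  # empty entry, e.g. a trailing semicolon
        policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources governing `directive`, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in _FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return ["*"]  # neither the directive nor default-src is set: unrestricted


def allows_inline_or_any_script(header: str) -> bool:
    """Crude check: would the policy let inline or arbitrary scripts run?"""
    sources = effective_sources(parse_csp(header), "script-src")
    return "*" in sources or "'unsafe-inline'" in sources


# --- vulnerable handler: the report endpoint is copied from the request ---
def vulnerable_csp_header(report_uri_from_request: str) -> str:
    # The parameter lands in the header untouched, so a ';' in it starts a new
    # directive. (report-uri is deprecated in CSP3 but still widely honoured.)
    return f"default-src 'self'; report-uri {report_uri_from_request}"


# --- hardened handler: accept only an absolute https URL made of safe chars ---
_SAFE_URI = re.compile(r"^https://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._~/-]*)?$")


def hardened_csp_header(report_uri_from_request: str) -> str:
    # Anything outside the allow-list (whitespace, ';', quotes, ...) is refused
    # and a fixed, application-controlled endpoint is used instead.
    if _SAFE_URI.fullmatch(report_uri_from_request):
        report_uri = report_uri_from_request
    else:
        report_uri = "/csp-report"
    return f"default-src 'self'; report-uri {report_uri}"


if __name__ == "__main__":
    # Constructed attacker payload: closes report-uri and adds a script-src that
    # default-src 'self' no longer covers, because script-src now exists.
    payload = "https://evil.example/r; script-src 'unsafe-inline' https://evil.example"
    print("vulnerable:", vulnerable_csp_header(payload))
    print("  inline scripts allowed?", allows_inline_or_any_script(vulnerable_csp_header(payload)))
    print("hardened:  ", hardened_csp_header(payload))
    print("  inline scripts allowed?", allows_inline_or_any_script(hardened_csp_header(payload)))
    # A duplicate directive is ignored: the first script-src stays in force.
    print("duplicate script-src resolves to:", parse_csp("script-src 'self'; script-src *")["script-src"])
```

The point of the parser is the two resolution rules an attacker relies on: a repeated directive is dropped (so existing directives are hard to weaken), but a directive the policy never set is accepted and shadows default-src. The hardened handler does not try to escape the value; it validates it against a strict allow-list and otherwise falls back to a constant, which is the usual fix for header injection of this kind.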